db-derby-commits mailing list archives

From bpendle...@apache.org
Subject svn commit: r1686755 - in /db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests: suites/XMLSuite.java tests/lang/XMLXXETest.java
Date Sun, 21 Jun 2015 20:34:08 GMT
Author: bpendleton
Date: Sun Jun 21 20:34:08 2015
New Revision: 1686755

URL: http://svn.apache.org/r1686755
Log:
DERBY-6810: Add regression tests for XXE vulnerability

This change adjusts XMLXXETest.testDerby6807FileAccess() slightly so
that it doesn't add an extra File.separator, which appeared to throw
off the file: scheme parsing on Unix platforms and caused the test to
misbehave.

For me, the test now behaves as expected on both Windows and Linux.

This change also re-adds XMLXXETest to XMLSuite so that it will get
run by the main Jenkins build scripts and we can see how it behaves
on those platforms.

Modified:
    db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/suites/XMLSuite.java
    db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/XMLXXETest.java

Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/suites/XMLSuite.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/suites/XMLSuite.java?rev=1686755&r1=1686754&r2=1686755&view=diff
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/suites/XMLSuite.java
(original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/suites/XMLSuite.java
Sun Jun 21 20:34:08 2015
@@ -50,6 +50,7 @@ public final class XMLSuite extends Base
         suite.addTest(org.apache.derbyTesting.functionTests.tests.lang.XMLBindingTest.suite());
         suite.addTest(org.apache.derbyTesting.functionTests.tests.lang.XMLMissingClassesTest.suite());
         suite.addTest(org.apache.derbyTesting.functionTests.tests.lang.XMLConcurrencyTest.suite());
+        suite.addTest(org.apache.derbyTesting.functionTests.tests.lang.XMLXXETest.suite());
         
         return suite;
     }

Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/XMLXXETest.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/XMLXXETest.java?rev=1686755&r1=1686754&r2=1686755&view=diff
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/XMLXXETest.java
(original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/XMLXXETest.java
Sun Jun 21 20:34:08 2015
@@ -99,11 +99,14 @@ public final class XMLXXETest extends Ba
         
         s.execute("CREATE TABLE xml_data(xml_col XML)");
 
-        s.execute("INSERT INTO xml_data(xml_col) VALUES(XMLPARSE(DOCUMENT" 
+        String stmt = "INSERT INTO xml_data(xml_col) VALUES(XMLPARSE(DOCUMENT" 
                 + "'<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:"
-	        + File.separator    
                 + path +"\" >]><yolo>&xxe;</yolo>'"
-                + "PRESERVE WHITESPACE))");
+                + "PRESERVE WHITESPACE))";
+
+	// System.out.println( stmt );
+
+	s.execute( stmt );
 
 	// XXX: The next result is wrong. The expected behavior is that the
 	// query should be rejected as a security violation. See DERBY-6807
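Review bot: The entity's system identifier is still assembled by string concatenation (`"file:" + path`), so whether the parser sees a well-formed file: URL depends on the platform's path syntax, which is the same class of problem the removed `File.separator` caused. That matters for an XXE regression test: once DERBY-6807 is fixed and this test expects a rejection, a malformed URL that simply fails to resolve could make the test pass without the protection being exercised. Assuming `path` is a plain filesystem path string (it is defined outside this hunk), consider building the identifier with `new File(path).toURI()`, e.g. `+ "'<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"" + new File(path).toURI() + "\" >]><yolo>&xxe;</yolo>'"`. Separately, the commented-out `// System.out.println( stmt );` should be dropped rather than committed, and the new `s.execute( stmt );` line is tab-indented where the surrounding code uses spaces. The enclosing test method starts and ends outside this hunk.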


